Cyber Resilience

CVE-2023-21682

Medium

Published: 10 January 2023

Modified: 21 November 2024
KEV Added: not listed (not in the CISA KEV catalog)
Patch: vendor patch available (see Microsoft advisory)
CVSS v3.1 base score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS score: 0.0914 (92.9th percentile)
Risk priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-21682 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft Windows 10 1809. Its CVSS base score is 5.3 (Medium).

Operationally, its EPSS score places it in the top 7.1% of CVEs by exploit likelihood (92.9th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Windows Point-to-Point Protocol (PPP) contains an information disclosure vulnerability tracked as CVE-2023-21682 and classified as CWE-125 (Out-of-bounds Read). The flaw affects the PPP implementation in Windows and carries a CVSS 3.1 base score of 5.3, reflecting a network-reachable read of limited sensitive data that requires neither authentication nor user interaction.

An unauthenticated remote attacker can send crafted network traffic to a vulnerable Windows system running PPP and obtain partial memory contents. The attack requires no privileges or user action, and its impact is limited to confidentiality (CVSS C:L); there is no integrity or availability impact.

Microsoft has published remediation guidance and patches through its Security Response Center at the referenced advisory URL. The EPSS score has remained flat at 0.0914 with no material increase since disclosure.

Vulnerability details

Windows Point-to-Point Protocol (PPP) Information Disclosure Vulnerability

CWE(s)

CWE-125 (Out-of-bounds Read)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows 10 1607 (all versions)
Microsoft Windows 10 1809 (all versions)
Microsoft Windows 10 20H2 (all versions)
Microsoft Windows 10 21H2 (all versions)
Microsoft Windows 10 22H2 (all versions)
Microsoft Windows 11 21H2 (all versions)
Microsoft Windows 11 22H2 (all versions)
Microsoft Windows 7 (all versions)
Microsoft Windows 8.1 (all versions)
Microsoft Windows RT 8.1 (all versions)
+5 more product configurations; see NVD for the full list.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
